Microsoft Hit By Phone Tracking Lawsuit

Microsoft is collecting geo-location data from Windows Phone 7 users who decline to share their data, it is claimed

A lawsuit filed in Washington state accused Microsoft of tracking Windows Phone users without their consent even after users have opted out of information sharing.

Microsoft is allegedly developing a targeted location-based advertisement system and is using Windows Phone users to collect information about the locations of cell towers and wireless networks, said plaintiff Rebecca Cousineau in court documents filed with the United States District Court in Seattle on 31 August. The complaint claimed Microsoft chose to collect the information from photographs taken by users with phones running Windows Phone 7 without user consent.

Data collection

Microsoft allegedly performs the data collection through the camera application on Windows Phone devices, the lawsuit said. Microsoft asks the user for permission to use location-based data the first time the camera application is launched, but allegedly ignores the user’s response.

“Microsoft brazenly continues to collect users’ location information, regardless of whether or not the individual chooses ‘cancel’ so as to not allow such information to be tracked,” the complaint said.

The lawsuit is based on recent research by Samy Kamkar, who found that Windows Phone 7’s default camera app periodically transmits information collected from Wi-Fi networks and cell towers to a host system owned by Microsoft. Even if the user opted out of sharing geo-location data, information such as the longitude and latitude of the cell tower, the phone’s unique identifiers and the applications installed on the device is being transmitted, Kamkar said.

Kamkar is best known for creating the MySpace worm and the “evercookie”, a specialised tracking cookie that can’t be deleted. He tested the app on Samsung Omnia 7 phones running Windows Phone 7.0.70004 and 7.0.7392.

Microsoft is investigating the complaints raised in the lawsuit but denied that it stored unique identifiers with anything saved in the location database. The identifiers under debate are the ApplicationID, which is associated with an app installed on the device; ClientGuid and DeviceID, two unique identifiers for the device; and TrackingID, which identifies each packet sent from the phone.

Apple faced a similar class action suit this spring after security researchers presented a paper that described a “feature” in the iPhone that secretly saved the movements and locations of iPhone users by saving cell tower locations and wireless networks.

Cell tower locations

Apple said the feature was intended to assemble a map of cell phone tower locations to improve user connectivity. The goal was not to track user movements, according to Apple, which contended it was due to a bug that the historic information wasn’t being deleted. Apple rolled out a patch shortly after to “fix” the bug and to also encrypt the file so that it wouldn’t be so readily accessible.

The lawsuit accuses Microsoft of violating federal laws and of submitting false testimony to Congress about its activities. The testimony refers to a letter Microsoft sent to Congress in May, shortly after Apple’s supposed location-tracking came to light. “Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information,” the company told federal lawmakers.

Cousineau asked Microsoft to pay $1,000 (£617) per violation of the applicable federal laws. The penalties would be due to her and others if the lawsuit becomes a class-action suit.